Board: FB_security
Title: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Origin site: NCTU CS FreeBSD Server (Wed Apr 23 17:51:03 2014)
Relay path: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
On 22 April 2014 22:28, Ronald F. Guilmette <[email protected]> wrote:
>
> In message <[email protected]>,
> Charles Swiger <[email protected]> wrote:
>
>>On Apr 21, 2014, at 6:38 PM, Ronald F. Guilmette <[email protected]> wrote:
>>> In the aftermath of this whole OpenSSL brouhaha... which none other than
>>> Bruce Schneier publicly pronounced to be a 12, on a scale from 1 to 10,
>>> in terms of awfulness... I do wonder if anyone has taken the time or effort
>>> to run the OpenSSL sources through any kind of analyzer to try to obtain
>>> some of the standard sorts of software science metrics on it.
>>
>>Sure. Running clang's static analyzer against openssl-1.0.1g yields:
>>
>>Bug Type                                           Quantity
>>All Bugs                                                182
>>
>>Dead store
>>  Dead assignment                                       121
>>  Dead increment                                         12
>>  Dead initialization                                     2
>>
>>Logic error
>>  Assigned value is garbage or undefined                  3
>>  Branch condition evaluates to a garbage value           1
>>  Dereference of null pointer                            27
>>  Division by zero                                        1
>>  Result of operation is garbage or undefined             9
>>  Uninitialized argument value                            2
>>  Unix API                                                4
>
> Thank you for doing this.
>
> Perhaps it goes without saying, but I'll say it anyway. The above results
> are at once both enlightening and disgusting.
>
> Apparently, the OpenBSD guys are reorganizing/rewriting OpenSSL. I hope
> that they take the time to do what you have done *and* also to drive every
> bleedin' last one of these numbers to zero. I feel sure that the vast
> majority of the issues uncovered by clang are not in any sense exploitable,
> however it's the one or two or three that are that worry me.
>
>
> Regards,
> rfg
>
>
> P.S. I was reading last night about VP8. In that case, apparently,
> the formal specification for that protocol *is* the code. (See RFC
> 6386, Section 1.)
>
> If you have time, Charles, perhaps you could run this same analysis on
> that code too, and report numbers for that as well.
>
> I am *not* looking forward to the day when I'll be rooted because I was
> watching funny kitten videos on YouTube.
So where are your patches to fix these issues?
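As an added illustration, not part of the thread and not taken from OpenSSL, the following small C file shows what two of the categories in Charles's table ("Dead store" and "Dereference of null pointer") look like in code, with a hardened form beside the flagged one. The lookup table, the record type and the function names (find, value_unchecked, value_checked, value_or) are constructed for this example. Running `clang --analyze example.c` (or `scan-build` around a normal build) reports the dead assignment and the NULL path in value_unchecked; value_checked is clean.

```c
/* Added example: two clang static-analyzer finding classes in one file.
 * Analyze with:  clang --analyze example.c   or   scan-build make
 * The table below is a constructed sample standing in for a real lookup.
 */
#include <stddef.h>
#include <string.h>

struct record {
    const char *name;
    int value;
};

static const struct record table[] = {
    { "alpha", 1 },
    { "beta",  2 },
    { "gamma", 3 },
};
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Returns NULL on a miss; every caller has to handle that path. */
static const struct record *find(const char *name)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (strcmp(table[i].name, name) == 0)
            return &table[i];
    return NULL;
}

/* Flagged version.
 *  - "Dead assignment": v = 0 is overwritten before it is ever read.
 *  - "Dereference of null pointer": find() may return NULL, and the
 *    analyzer follows that path straight into rec->value.
 * A caller passing an absent name crashes here (or worse, in code that
 * does not fault cleanly), which is why this class matters even when
 * most instances are not reachable from attacker input.              */
int value_unchecked(const char *name)
{
    int v;
    v = 0;                              /* dead store */
    const struct record *rec = find(name);
    v = rec->value;                     /* NULL deref on a miss */
    return v;
}

/* Hardened version: the miss path is handled explicitly and reported,
 * and the variable is written exactly once, where the value is known. */
int value_checked(const char *name, int *out)
{
    const struct record *rec = find(name);
    if (rec == NULL)
        return -1;                      /* not found, nothing dereferenced */
    *out = rec->value;
    return 0;
}

/* Convenience wrapper so callers that want a default need no out-param. */
int value_or(const char *name, int fallback)
{
    int v;
    if (value_checked(name, &v) != 0)
        return fallback;
    return v;
}
```

The point of keeping both versions side by side is that the analyzer's counts are path-based: the "Dereference of null pointer" entry is one feasible path from a NULL-returning helper to a use, and the fix is to make the miss path explicit rather than to suppress the warning.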
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"